Discussions on the Life Ray Portal and credential management
David Groep, Oct 11th, 2011

Separation of security functions
EUGridPMA discussion
• Separation of functions
  • thin portal: all credential management on dedicated box
  • may combine bridge, MyProxy and Uploader on 1 box
• Quality of IdM is governed by MICS acceptability
  • i.e. must be of comparable LoA as TCS Personal
  • including eligibility requirements
• Make sure superfluous keypairs are removed
  • only the proxy is needed, just like in the uploader case
  • remove MICS keypair when proxy generation completes
• Portal security box acts like a UI to the user
  • only on explicit request of user & under user control
  • covered under PKP Guidelines – seems similar to the common ‘remote UI’ use case
Proliferation
• Aim to have a limited number of credential management systems, for potentially many portals. But initially one for Italy
• Leverage existing MICS CAs as far as possible
  • no new CA for each portal or portal instance
  • aim to leverage TERENA TCS eScience Personal
  • but policy compatibility should still be understood
  • acceptability of portal instance comes down to CA, i.e. not revoking the certs
  • it is the MICS CA policy that must be satisfied
  • PMA only looks at CAs (not at the portals, please)
Next steps
• Updated design white paper will reflect changes
• Prototype will be developed and demonstrated at later date to appropriate PMAs
• Roberto C (and TCS PMA ;-) to study compatibility with TCS Personal
Should be a significant step towards better usability!